Ark directory traversal issue (CVE-2011-2725)

Bug #878619 reported by Scott Kitterman
Affects            Status        Importance  Assigned to       Milestone
kdeutils (Ubuntu)  Fix Released  High        Unassigned
Lucid              Fix Released  High        Jamie Strandboge
Maverick           Fix Released  High        Jamie Strandboge
Natty              Fix Released  High        Jamie Strandboge
Oneiric            Fix Released  High        Jamie Strandboge
Precise            Fix Released  High        Unassigned

Bug Description

From the upstream KDE packager's mail list:

In the ark repository (git://anongit.kde.org/ark) there are now patches
to fix a path traversal issue. The CVE ID for this is CVE-2011-2725.

There is no embargo, although I likely won't get a security advisory up
for a day or two. Due to a coordination mishap between us and the
reporter (only discovered earlier today), the details were posted on a
full disclosure list quite some time ago, so please apply these as soon
as possible.

4.5: http://commits.kde.org/ark/6f6c0b1
4.6: http://commits.kde.org/ark/7cf0033
4.7: http://commits.kde.org/ark/ccb5448
master: http://commits.kde.org/ark/e88d227

Scott Kitterman (kitterman) wrote :

Making public since the fix is public and it was already published on full disclosure.

visibility: private → public
Changed in kdeutils (Ubuntu Precise):
status: New → Triaged
Changed in kdeutils (Ubuntu Oneiric):
status: New → Triaged
Changed in kdeutils (Ubuntu Natty):
status: New → Triaged
Changed in kdeutils (Ubuntu Maverick):
status: New → Triaged
Changed in kdeutils (Ubuntu Lucid):
importance: Undecided → High
Changed in kdeutils (Ubuntu Maverick):
importance: Undecided → High
Changed in kdeutils (Ubuntu Natty):
importance: Undecided → High
Changed in kdeutils (Ubuntu Oneiric):
importance: Undecided → High
Changed in kdeutils (Ubuntu Precise):
importance: Undecided → High
Scott Kitterman (kitterman) wrote :

Probably affects Lucid, but didn't check the code and upstream didn't provide a fix, so not marking confirmed there.

Changed in kdeutils (Ubuntu Lucid):
status: New → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in kdeutils (Ubuntu Maverick):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in kdeutils (Ubuntu Natty):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in kdeutils (Ubuntu Oneiric):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in kdeutils (Ubuntu Precise):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in kdeutils (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in kdeutils (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in kdeutils (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in kdeutils (Ubuntu Oneiric):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Just to provide an update here, because of the Kubuntu point releases in -updates combined with a newer kde4libs in -security for lucid-natty, I had to do several no-change rebuilds in -security so that kdeutils is installable. Because oneiric does not have a newer kde4libs, I will be publishing two updates for it: one in -security and one on -updates.

Jonathan Riddell (jr) wrote :

Will be included in 4.7.3 packages in precise

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdeutils - 4:4.7.2-0ubuntu1.1

---------------
kdeutils (4:4.7.2-0ubuntu1.1) oneiric-proposed; urgency=low

  * SECURITY UPDATE: fix directory traversal in Ark
    - debian/patches/CVE-2011-2725.patch: filter out '../' when previewing
      archives
    - CVE-2011-2725
    - LP: #878619
 -- Jamie Strandboge <email address hidden> Sun, 30 Oct 2011 16:09:14 -0400

Changed in kdeutils (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdeutils - 4:4.6.5-0ubuntu1.2

---------------
kdeutils (4:4.6.5-0ubuntu1.2) natty-security; urgency=low

  * SECURITY UPDATE: fix directory traversal in Ark
    - debian/patches/CVE-2011-2725.patch: filter out '../' when previewing
      archives
    - CVE-2011-2725
    - LP: #878619
 -- Jamie Strandboge <email address hidden> Sun, 30 Oct 2011 16:16:10 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdeutils - 4:4.5.5-0ubuntu2.2

---------------
kdeutils (4:4.5.5-0ubuntu2.2) maverick-security; urgency=low

  * SECURITY UPDATE: fix directory traversal in Ark
    - debian/patches/CVE-2011-2725.patch: filter out '../' when previewing
      archives
    - CVE-2011-2725
    - LP: #878619
 -- Jamie Strandboge <email address hidden> Tue, 08 Nov 2011 16:25:32 -0600

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdeutils - 4:4.4.5-0ubuntu1.2

---------------
kdeutils (4:4.4.5-0ubuntu1.2) lucid-security; urgency=low

  * SECURITY UPDATE: fix directory traversal in Ark
    - debian/patches/CVE-2011-2725.patch: filter out '../' when previewing
      archives
    - CVE-2011-2725
    - LP: #878619
 -- Jamie Strandboge <email address hidden> Tue, 08 Nov 2011 16:13:53 -0600

Changed in kdeutils (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in kdeutils (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in kdeutils (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in kdeutils (Ubuntu Precise):
assignee: Jamie Strandboge (jdstrand) → nobody
status: In Progress → Triaged
Jamie Strandboge (jdstrand) wrote :

I have unassigned myself from the Precise task because the version in precise now FTBFS. Since Jonathan mentioned 4.7.3 will fix this, for now we can wait on it.

Jamie Strandboge (jdstrand) wrote :

Precise now has 4:4.7.3-0ubuntu1.

Changed in kdeutils (Ubuntu Precise):
status: Triaged → Fix Released
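
The changelog entries above describe the fix as filtering out '../' when previewing archives. As an added example (not code from this bug report, from Ark, or from the Ubuntu patch), the following C++ resolves an archive entry name component by component and refuses any name that would land outside the directory it is extracted into; the function name `resolveEntryName` and the sample entry names are constructed for illustration, and the check is lexical only, so it does not account for symlinks already present in the target directory.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper (not Ark's code): lexically resolve an archive entry
// name. Returns true and fills `resolved` with a cleaned relative path when
// the entry stays inside the extraction directory; returns false otherwise.
bool resolveEntryName(const std::string& entryName, std::string& resolved)
{
    resolved.clear();
    if (entryName.empty() || entryName[0] == '/')
        return false;                     // empty or absolute name: refuse

    std::vector<std::string> parts;
    std::string::size_type start = 0;
    while (start <= entryName.size()) {
        std::string::size_type end = entryName.find('/', start);
        if (end == std::string::npos)
            end = entryName.size();
        const std::string part = entryName.substr(start, end - start);
        start = end + 1;

        if (part.empty() || part == ".")
            continue;                     // "a//b" and "a/./b" collapse
        if (part == "..") {
            if (parts.empty())
                return false;             // would climb above the root
            parts.pop_back();             // step back inside the root
        } else {
            parts.push_back(part);
        }
    }
    if (parts.empty())
        return false;                     // names the root itself, no file
    for (std::vector<std::string>::size_type i = 0; i < parts.size(); ++i)
        resolved += (i ? "/" : "") + parts[i];
    return true;
}

int main()
{
    // Constructed sample entry names, not taken from a real archive.
    const char* names[] = { "docs/./img//logo.png", "docs/../readme.txt",
                            "../../home/user/.bashrc", "docs/../../etc/passwd",
                            "/etc/passwd" };
    for (const char* n : names) {
        std::string out;
        const bool ok = resolveEntryName(n, out);
        std::cout << n << " -> " << (ok ? out : "REJECTED") << "\n";
    }
    return 0;
}
```
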